
Friday, January 15, 2010

Connecticut AG sues Health Net over security breach

HARTFORD, CT – Connecticut Attorney General Richard Blumenthal has filed a lawsuit against Health Net of Connecticut, alleging the company failed to secure patient medical records and financial information prior to a security breach.

Blumenthal filed the suit on Wednesday, calling it "historic." The lawsuit also asserts that Health Net failed to promptly notify consumers endangered by the security breach, which involved 446,000 Connecticut enrollees...

The case marks the first action by a state attorney general involving HIPAA violations since the Health Information Technology for Economic and Clinical Health Act (HITECH), contained in the American Recovery and Reinvestment Act of 2009, authorized state attorneys general to enforce HIPAA.

"Sadly, this lawsuit is historic – involving an unparalleled healthcare privacy breach and an unprecedented state enforcement of HIPAA," Blumenthal said. "Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months – most likely by thieves – before Health Net notified appropriate authorities and consumers."

Health Net executives were not immediately available for comment.

The lawsuit also names UnitedHealth Group Inc. and Oxford Health Plans, LLC. While those companies did not cause the data breach, the companies have acquired ownership of Health Net of Connecticut.

According to the lawsuit, on or about May 14, 2009, Health Net officials learned that a portable computer disk drive disappeared from the company's Shelton office. The disk drive contained protected health information, Social Security numbers and bank account numbers for approximately 446,000 past and present Connecticut enrollees.

MIAOULIS NOTE: Lawsuits such as this increase the impact of breaches to all healthcare organizations. Identify your data and protect it (encrypt) whenever possible. Make sure you have a tested incident response process which includes HITECH and your state's breach notification requirements. The time to act is NOW.... The timeline is very interesting in that the breach occurred prior to the HITECH compliance date; however, state law was in effect. For a copy of the lawsuit: http://www.courthousenews.com/2010/01/15/HealthNet.pdf